Android Flaw Might Also Affect iOS, Windows

Sandboxing flaw let researchers hijack Gmail 92% of the time, and could also affect iOS and Windows.


Researchers at University of California Riverside and the University of Michigan have found a flaw in Android that allows apps to be hijacked and they believe the flaw can be used to attack iOS and Windows mobile apps in the same way.

The flaw involves the fact that apps share memory space despite sandboxing, the practice designed to isolate apps from one another and avoid the problems inherent in shared memory.

Though apps on mobile devices have been designed to run code in their own sandboxes, they generally rely on a common graphic interface framework called a window manager that operates in shared memory space. The window manager is responsible for rendering graphic interface elements on the user's mobile device screen.

The attack requires a malicious app to be downloaded and to be running in the background on an Android device. The malicious app is designed to be inconspicuous, with low energy overhead and minimal permissions. Its job is to monitor the window manager memory space and infer what other apps are doing.

By watching how other apps deploy graphic elements on screen, the malicious app can understand what's going on in those apps and then inject precisely timed fake interface elements, like a login screen, to intercept login credentials or otherwise dupe the user. This technique is commonly known as a man-in-the-middle attack.

The researchers tested seven Android apps -- Amazon, Chase, Gmail, H&R Block, Hotels.com, Newegg, and WebMD -- and, with the exception of Amazon's app, were able to accurately infer the interface state of the target app between 82% and 92% of the time.

Although the attack worked on Gmail 92% of the time, it fared less well with the Amazon app, working only 48% of the time. The researchers attributed this to the unpredictability of Amazon's highly variable interface and to the app's extensive use of cached data, which denied data to the malicious app.

Zhiyun Qian, an associate professor at University of California Riverside, said in an email that although he and his colleagues did not evaluate gaming apps, he suspected many would not be vulnerable to the attack. "My guess is that those apps may not be affected as they may use lower-layer graphics APIs for performance reasons," he said.

The attack technique can also be used to obtain sensitive image files through what the researchers call a "camera peeking attack." Certain apps store image files only in memory because the images contain sensitive data -- such as an app that lets users photograph a check and then deposit it electronically. By monitoring interface elements, the malicious app can watch for camera usage and take a photo of its own immediately afterward without the user's knowledge, thereby obtaining a nearly identical image.

The researchers propose several ways to mitigate the flaw, such as limiting access to certain proc files (which contain information about important system processes), tightening interface animation systems to prevent stealthy replacement of genuine interface elements with fake ones, and limiting the functions available to background apps so they can't, for example, secretly take pictures.
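The monitoring described above and the first mitigation the researchers propose both hinge on whether an unprivileged app can read other apps' per-process memory counters. The following posture check is an added example, not code from the article or the researchers; it assumes those counters are exposed through per-process /proc entries (the `shared` field of `/proc/<pid>/statm`) and that the `hidepid` option on the /proc mount is the control that blocks cross-user reads.

```python
# Posture check: can an unprivileged process on this system read other users'
# per-process /proc entries (the exposure the UI-state inference relies on)?
import os

# hidepid values accepted by procfs; anything >= 1 hides other users' entries
_HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def proc_hidepid(mounts_text):
    """Parse /proc/mounts-style text and return the hidepid level of the
    /proc mount (0 if /proc is mounted without hidepid or is not listed)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/proc":
            continue
        for opt in fields[3].split(","):
            if opt.startswith("hidepid="):
                value = opt.split("=", 1)[1]
                return int(value) if value.isdigit() else _HIDEPID_NAMES.get(value, 0)
        return 0  # /proc mounted, but no hidepid option at all
    return 0


def shared_pages(statm_text):
    """Return the 'shared' page count from a /proc/<pid>/statm line
    (fields: size resident shared text lib data dt)."""
    return int(statm_text.split()[2])


def foreign_readable_statm(proc_root="/proc", my_uid=None):
    """Return pids owned by another uid whose statm this process can read.
    A non-empty list means cross-app memory counters are exposed here."""
    my_uid = os.getuid() if my_uid is None else my_uid
    try:
        entries = os.listdir(proc_root)
    except OSError:  # no procfs (e.g. non-Linux host)
        return []
    exposed = []
    for name in entries:
        if not name.isdigit():
            continue
        path = os.path.join(proc_root, name)
        try:
            if os.stat(path).st_uid == my_uid:
                continue
            with open(os.path.join(path, "statm")) as f:
                shared_pages(f.read())  # readable and well-formed
        except OSError:
            continue  # hidden or permission denied: the mitigation is working
        exposed.append(int(name))
    return exposed


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        print("hidepid level on /proc:", proc_hidepid(f.read()))
    print("foreign pids with readable statm:", foreign_readable_statm()[:10])
```

Run it as a normal (non-root) user: a hidepid level of 0 together with a non-empty pid list shows the counters are readable across uids, which is exactly what restricting proc file access is meant to close.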


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

That is right. If there are going to be security checks from the website, there shouldn't be malicious apps tracking users' sensitive data (required for login to those websites) to put to use. I think it's time developers held a meeting about such attacks to see if they could change the architecture that supports the regular checkup system in Android.

Google has already moved to address this with more granular permissions in Android. Given that the technique discussed requires a malicious app to already be installed on the target device, publication of this research isn't likely to change the security situation very much. But clearly the OS vendors need to take a look at this.

Given that I use both GMail and Amazon apps, I was suitably impressed by the study as well as scared. Personal information in mobile devices is a given these days. The sophistication for Google was the fact that they didn't cache your data at the client end, so you had to go through their server security checkpoint every single time. But that becomes a vulnerability with a background 'man in the middle' app sniffing around now. By contrast, Amazon becomes far more unpredictable to shadow like that. A look at the modern enterprise security report from HP gives more clues (bit.ly/1l8KNdv). Good share!

It makes me wonder if we'll see fewer developers taking the kitchen sink approach to applications. I see so many apps that want access to half the features of my phone which typically means I don't install it. Maybe we will get leaner apps with a little more thought put into security and walling off functions.

I think this is an interesting finding by the university. The impact of such a flaw is huge. I agree that future developers will be able to take this into consideration as they improve the security of their future applications. Such information is available only to a small group of individuals, especially in academia. Making this information available to the public in the end benefits developers rather than causing harm.

Thomas, negatives apart, this research will not only help developers of apps to ensure that their apps are secure but also help OS developers to define criteria which must be met if the apps are to be deployed. It must be of more interest to Android, as they don't do much screening of apps allowed to be installed.

Thomas, the research is impressive, but disclosing such weaknesses in public may invite many hackers looking for an idea, and now they have it. I think Android, iOS and Windows will not be excited about the university researchers disclosing these facts in conferences followed by the masses.
